Table of Contents
- Why GovCon M&A Due Diligence Is Different
- 1) Start With a Contract “Source of Truth” (Not a Spreadsheet of Hope)
- 2) Analyze Transferability Early: Deal Structure Drives Contract Risk
- 3) Small Business Status and Set-Aside Eligibility: Value Can Disappear Overnight
- 4) Compliance Program and Enforcement Exposure: Assume Someone Will Ask
- 5) Audit and Pricing Diligence: Follow the Money (and the Methodology)
- 6) Labor and Workforce Compliance: Your Most Valuable Asset Also Has Rules
- 7) Security Clearances and FOCI: The Deal Can Trigger a National Security Review
- 8) Cybersecurity and Data: DFARS, NIST, and CMMC Are Now Deal-Level Issues
- 9) Past Performance, Claims, and “Soft” Risk That Still Impacts Price
- 10) Build the Diligence Output Buyers Actually Use
- Conclusion
- Experience-Based Lessons Deal Teams Commonly Learn the Hard Way (So You Don’t Have To)
Buying a government contractor isn’t like buying a normal business. In a “regular” deal, you worry about customers leaving. In a govcon deal, you worry about customers leaving and your contracts refusing to move with the business, your small-business status evaporating, your cybersecurity posture failing a clause you didn’t know you had, and an auditor asking why your timekeeping system looks like it was designed by a raccoon at 2 a.m.
The good news: government contractor M&A due diligence is absolutely manageable when you run it like a disciplined program, one that treats compliance, contract mechanics, and regulatory risk as value drivers (or value destroyers) instead of “legal fine print.” This guide walks through the due diligence practices that consistently matter most, with practical examples and a few reality checks to keep everyone honest.
Why GovCon M&A Due Diligence Is Different
Government contracts come with rules about who can perform, how performance is measured, and what happens when ownership changes. Your diligence needs to answer three questions early:
- Will the revenue transfer cleanly? (Think novation, change-of-name agreements, and change-of-control notices.)
- Will eligibility survive? (Think small-business size/affiliation, set-aside programs, clearances, and teaming.)
- Will risk show up later as a bill? (Think audits, pricing issues, labor compliance, cyber incidents, and False Claims Act exposure.)
1) Start With a Contract “Source of Truth” (Not a Spreadsheet of Hope)
Before you evaluate risk, you need a reliable map of what the target actually sells to the government. Build a contract inventory that ties each contract and task order to:
- Customer & vehicle: agency, bureau, contracting office, and whether it’s under a GWAC, IDIQ, GSA Schedule, or single-award contract
- Contract type: FFP, cost-reimbursement, T&M/Labor Hour, hybrid CLINs
- Funding reality: obligated vs. ceiling; funded value vs. total potential value
- Performance status: option periods, key milestones, subcontract dependencies, and whether performance is on track
- Margin mechanics: indirect rate assumptions, escalation, award fees, incentive structures, and pricing refresh timing
Practical example
A buyer sees a $120M “backlog” headline. Diligence reveals only $38M is currently obligated, a large portion is option-year dependent, and the contract type is T&M with tight labor category ceilings, meaning the margin is only “real” if labor mix and utilization behave perfectly. Spoiler: labor rarely behaves perfectly.
2) Analyze Transferability Early: Deal Structure Drives Contract Risk
In govcon, the legal structure of the transaction can be a revenue event, or a revenue interruption. The key issue is whether contracts can move to the buyer (or remain with the same legal entity) without breaking rules that restrict assignment.
Novation vs. stock sale (and why your banker suddenly cares)
Asset deals often require a novation agreement so the government recognizes a successor in interest when contractor assets are transferred. A novation process can take time and documentation, and you should treat it like a mini-project plan, not a post-close afterthought.
Stock deals typically avoid novation because the contractor entity stays the same; it just has new owners. That doesn’t mean “no work required,” though. You may still need customer communications, security reviews, change-of-control notices under specific agreements, or a change-of-name agreement if branding or corporate structure changes.
Due diligence actions that prevent expensive surprises
- Identify every contract that might require novation (or a customer consent) under the contemplated structure.
- Ask whether any subcontracts need interim solutions while novation is pending.
- Review contract clauses and agency policies for change-of-control notification obligations.
- Pressure-test timing: What happens if novation takes 6–12 months? Can the business operate smoothly in the interim?
3) Small Business Status and Set-Aside Eligibility: Value Can Disappear Overnight
If the target’s growth strategy relies on set-aside work (8(a), SDVOSB, HUBZone, WOSB/EDWOSB, small business set-asides), then size and affiliation rules are not a side issue; they’re the business model.
What to verify
- NAICS codes and size standards applied to the target’s key contracts
- Affiliation risk (common ownership, control rights, negative control, identity of interest, etc.)
- Recertification triggers tied to mergers, acquisitions, and orders under multiple-award contracts
- Program compliance history: any size protests, SBA inquiries, or certification issues
Limitations on subcontracting: the silent profit killer
Set-aside contracts often include limitations on subcontracting that cap how much work can be pushed to entities that are not “similarly situated.” If the target is winning as a small business but performing like a general contractor who subcontracts everything, you may inherit a compliance headache with real repayment risk.
Practical example
A target wins small-business set-aside service contracts by proposing an attractive subcontractor team. Post-close, the buyer consolidates delivery using its large-business affiliate “for efficiency.” The performance model quietly violates subcontracting limitations, turning “synergies” into a compliance exposure.
4) Compliance Program and Enforcement Exposure: Assume Someone Will Ask
Government contractors live under a special kind of visibility. The “paper trail” is not optional, and enforcement risk isn’t theoretical. A strong diligence workstream reviews both what the target does and how the target proves it did it.
Key compliance areas to diligence
- Ethics and internal controls: code of conduct, hotline, investigations process, disciplinary consistency, training cadence
- Mandatory disclosure readiness: policies for evaluating and disclosing credible evidence of certain violations
- False Claims Act risk factors: billing accuracy, labor charging, deliverable acceptance, cybersecurity representations, and subcontractor oversight
- Organizational conflicts of interest (OCI): impaired objectivity, biased ground rules, and unequal access to information
- Suspension/debarment signals: any integrity issues, terminations, or responsibility determinations
Practical example
During diligence, you find a “perfect” margin profile on a cost-reimbursement contract. Then you discover a pattern of late timecard approvals and weak segregation of duties in expense approvals. That’s not just “messy ops”; it’s the kind of control weakness that can create questioned costs, repayment demands, and in the worst cases, allegations that get very expensive very fast.
5) Audit and Pricing Diligence: Follow the Money (and the Methodology)
Govcon financial diligence isn’t only about EBITDA. It’s about whether revenue, costs, and billing were handled in a way that survives scrutiny by contracting officers, auditors, and investigators.
Core diligence topics
- DCAA/DCMA audit history: open findings, recurring issues, incurred cost audit status, and adequacy rejections
- Indirect rate structure: rate pools, allocation bases, consistency, and whether provisional billing rates match reality
- Timekeeping discipline: who can edit timecards, approval workflow, training, and monitoring
- Cost allowability: executive compensation, travel, entertainment, lobbying, consultant costs, and related-party transactions
- Truthful cost or pricing data / defective pricing risk: proposal support, data currency controls, and post-award audit exposure
- Cost Accounting Standards (CAS): applicability, exemptions, and whether practices are documented and followed consistently
Practical example
A target has a large cost-type portfolio and “great cash flow.” Diligence shows they’ve been billing based on outdated provisional rates for multiple years, their incurred cost submissions are behind, and they rely on aggressive cost interpretations (especially around consultant labor and travel). If final negotiated rates move against them, that “great cash flow” can reverse, hard.
6) Labor and Workforce Compliance: Your Most Valuable Asset Also Has Rules
Many government contractors are labor-driven businesses. That means labor law overlays, wage determinations, and benefit requirements can materially affect both cost and risk, especially when you inherit a workforce mid-performance.
What to review
- Service Contract Act (SCA) and Davis-Bacon Act (DBA) exposure: correct classifications, fringe benefits, and wage determinations
- Collective bargaining agreements: successorship obligations, rate escalations, and benefit commitments
- Recruiting and retention risk: clearance-holding personnel, key program managers, and non-compete/enforceability issues
- Subcontractor labor compliance: flow-downs and monitoring of labor categories and minimums
Practical example
The target underbids by assuming commercial pay rates. But the contract is SCA-covered, and the correct wage determination adds significant fringe benefit costs. If the target “made it work” by misclassifying labor categories, the buyer may inherit both financial leakage and back-wage exposure.
7) Security Clearances and FOCI: The Deal Can Trigger a National Security Review
If the target performs classified work, due diligence must include a clearance workstream, period. Facility clearances, personnel clearances, and classified program access have their own logic, and they don’t care that the LOI says “close by end of quarter.”
What to diligence for cleared contractors
- Facility clearance (FCL) status: level, sponsoring relationships, and compliance history
- FOCI exposure: whether foreign ownership, control, or influence is triggered by the buyer, investors, or governance rights
- Mitigation requirements: need for agreements (e.g., proxy/SSA/VTA) and what that means for board control and operations
- SF-328 and documentation: whether prior submissions were accurate and whether corporate family reporting is clean
- Timeline planning: clearance and mitigation changes can affect closing sequencing and post-close governance
Practical example
A private equity buyer uses a fund with foreign limited partners and governance rights that look routine in commercial deals. In cleared contracting, those rights can trigger FOCI concerns and require mitigation that changes who can sit on the board and who can access certain information. If you find this out after signing, you’ll get a crash course in “deal friction.”
8) Cybersecurity and Data: DFARS, NIST, and CMMC Are Now Deal-Level Issues
Cyber due diligence for defense-focused contractors is no longer a “good practice.” It’s increasingly a contract eligibility requirement, tied to DFARS clauses and formal programs.
Minimum cyber diligence checkpoints
- DFARS safeguarding and incident reporting obligations: confirm whether the target handles CUI or CDI and how incident reporting is managed
- NIST SP 800-171 posture: System Security Plans (SSPs), Plans of Action & Milestones (POA&Ms), assessment evidence, and continuous monitoring
- Flow-down management: subcontractor compliance and how the target verifies it
- CMMC readiness: required level by program, certification status, and gaps that could block future awards
- SPRS and assessment history: where applicable, verify posted scores/assessments and supporting documentation
A note on CMMC timing (and why buyers care right now)
With CMMC requirements moving into contract enforcement through DFARS implementation, buyers should treat cyber readiness like a bid/no-bid gate. If the target can’t meet the required CMMC level for its growth pipeline, you’re not buying “future revenue”; you’re buying a very expensive to-do list.
9) Past Performance, Claims, and “Soft” Risk That Still Impacts Price
Government customers remember. Past performance systems and contract files can influence recompete wins, responsibility determinations, and buyer confidence.
What to examine
- Past performance records: CPARS narratives, trends, and disputes
- Contract health: cure notices, show-cause letters, terminations (for convenience or default), and corrective action plans
- Claims and disputes: Contract Disputes Act claims, REAs, litigation, and settlement history
- Customer concentration and recompete dependence: identify cliff risk and the real cost of rebidding
Practical example
A target looks diversified across “multiple agencies,” but 65% of revenue rides on a single IDIQ where the next task order cycle is expected to be fiercely competed. Add a couple of “Marginal” CPARS ratings, and suddenly valuation needs to reflect execution risk, not just last year’s revenue.
10) Build the Diligence Output Buyers Actually Use
The best diligence deliverable isn’t a 200-page memo that no one reads. It’s a clear, prioritized view of what can break value, what can be fixed, and what must be priced or structured.
Recommended output format
- Red / Yellow / Green risk register with owner, mitigation plan, timeline, and estimated value impact
- Deal-structure notes (e.g., novation plan, clearance sequencing, small business recertification strategy)
- Rep & warranty focus list tailored to govcon: audits, billing, cyber, ethics, OCI, labor, and set-aside compliance
- Post-close integration plan that includes compliance controls, reporting cadence, and customer communications
Conclusion
Government contractor M&A due diligence is ultimately about protecting the two things buyers care about most: contract revenue that survives the transaction and risk that doesn’t boomerang back as a repayment, suspension, or investigation. The winning approach is specialized but not mystical: inventory contracts rigorously, align deal structure with transfer mechanics, verify eligibility rules, stress-test audit and pricing exposure, and treat cyber and clearance issues as first-class diligence topics.
If you do that, you don’t just avoid surprises; you build an integration plan that makes the acquisition perform the way the model promised. And that’s the kind of magic everyone can agree to, even the contracting officer.
Experience-Based Lessons Deal Teams Commonly Learn the Hard Way (So You Don’t Have To)
1) “We’ll handle novation after close” is how timelines get wrecked. In many deals, teams discover that the novation package isn’t just a form; it’s a documentation project involving corporate records, asset schedules, assumptions of liabilities, and evidence that performance will continue without disruption. The most successful teams treat novation like a parallel workstream with its own checklist, deadlines, and stakeholder map. When they don’t, program teams get stuck in limbo: the work must continue, the customer wants continuity, but the administrative friction slows modifications, funding actions, and sometimes even invoicing changes. The lesson: build a novation-ready binder early (even if you think you won’t need it), and plan customer communications like you’re managing a sensitive relationship, because you are.
2) Small business status can be “the product,” not just a label. A recurring experience in govcon acquisitions is watching a target’s go-to-market strategy hinge on set-aside eligibility. Buyers often learn that what they thought was a standard roll-up strategy can unintentionally trigger affiliation or recertification outcomes that shrink the future pipeline. The practical lesson: diligence isn’t only about confirming the target is small today; it’s about modeling what happens to future orders, options, and bids once ownership and control rights change. When buyers plan for this up front, they can sequence growth (or restructure governance) to preserve eligibility where it matters and pivot strategy where it doesn’t.
3) Cyber due diligence is no longer a “technical appendix.” Deal teams increasingly report that cybersecurity posture becomes a gating item for future awards, especially in the defense industrial base. A common pattern: the target has an SSP, a few policies, and a confident “we’re compliant” statement… but evidence is thin, subcontractor flow-downs are informal, and incident response is more “call Bob” than “repeatable process.” The buyer then inherits a sprint: close gaps, prepare for assessments, and align vendors and managed service providers with contract requirements. The lesson: ask for evidence, not vibes: screenshots, logs, training records, POA&Ms with owners and dates, and proof that requirements flow down and get verified.
4) Timekeeping and expense controls are boring until they become expensive. Many practitioners have seen otherwise strong businesses stumble because “everyone knows how to charge time.” In reality, inconsistent approvals, after-the-fact edits, weak segregation of duties, or casual handling of travel and consultant costs can translate into questioned costs and repayment exposure. The lesson: diligence should test controls like an auditor would: who can edit, who approves, how exceptions are documented, and whether practices match written policies. If the target is cost-type heavy, this is not optional.
5) Clearance and FOCI issues change governance in ways commercial buyers don’t expect. In cleared deals, teams often learn that standard investor protections (veto rights, board seats, information rights) can look like “control” in a national security context. When FOCI mitigation becomes necessary, governance can shift dramatically: proxy holders or outside directors may be required, access to certain information may be restricted, and operational tempo can be affected. The lesson: involve clearance specialists early, map ownership and control down to the real decision rights, and don’t assume a typical private equity governance package will survive unchanged.
6) The best integrations don’t wait for problems; they operationalize compliance. A strong post-close plan usually includes a practical cadence: quarterly compliance reviews, contract-by-contract risk scans, updated training, and a clear escalation path for issues. Teams that do this report fewer surprises and better customer confidence, because the business can explain and prove what it’s doing. The lesson: integration isn’t just systems and org charts; in govcon, it’s also controls, documentation, and disciplined habits that keep revenue “clean.”
